Statement of Gregory H. Friedman
Inspector General
U.S. Department of Energy

Before the
Subcommittee on Oversight and Investigations
of the
Committee on Energy and Commerce
U.S. House of Representatives

FOR RELEASE ON DELIVERY
10:00 AM
Thursday, September 25, 2008

Mr. Chairman and members of the Subcommittee, I am pleased to be here at your request to testify on matters relating to cyber security at the Department of Energy's (Department) national defense laboratories. These laboratories, which are part of the National Nuclear Security Administration (NNSA), possess and process some of the Department's most sensitive information; information which is critical to the Nation's defense.

Background

The Office of Inspector General (OIG) has a long-standing, proactive program to assess the effectiveness of the Department of Energy's cyber security strategy. Since 2002, the OIG has categorized information security as one of the Department's most significant management challenges. In April of 2007, I testified before this Subcommittee on the special inquiry conducted by my office regarding a diversion of classified data from the Los Alamos National Laboratory; an event made possible, in large part, by cyber security related weaknesses. The OIG has continued its efforts in this area by conducting a number of cyber security reviews throughout the Department, including NNSA and its national defense laboratories – Los Alamos, Lawrence Livermore, and Sandia.

Review of National Security Information Systems

In response to our special inquiry on the diversion of classified data at Los Alamos, the Department initiated a wide range of actions to address cyber security weaknesses related to classified systems. For instance, the Department updated and strengthened its national security information systems policy for segregation of duties and system access techniques.

Earlier this year, we conducted an extensive review of the process to certify and accredit classified national security information systems at the NNSA laboratories. Certification and accreditation (C&A) is a critical part of the risk management process and is vital to understanding and mitigating cyber-related vulnerabilities. This process is designed to ensure that systems are secure prior to beginning operation and that they remain so throughout their lifecycle. It includes formal steps to: (1) recognize and address risks, (2) determine whether system security controls are in place and operating effectively, and (3) ensure that changes to systems are adequately tested and approved. Our findings relevant to the NNSA and its national defense laboratories revealed that:

• Critical security functions had not been adequately segregated, providing the opportunity for system security officers to gain access and modify systems without review or approval, creating an environment in which controls could be manually overridden;
• Risks associated with classified and unclassified systems operating in the same environment had not always been adequately evaluated. This weakness – exacerbated by the lack of segregation of duties – increased the risk that classified information could be transferred to unclassified systems;
• Users at one laboratory were allowed to manually change passwords, a practice specifically prohibited by the Department and one which rendered passwords on classified systems more susceptible to compromise;
• At the same laboratory, a number of security plans were not reviewed and approved by a Federal official, depriving NNSA of the opportunity to ensure that all risks to the systems were addressed;
• System security plans omitted information on hardware such as servers, network printers and scanners, the presence of which could have created a security vulnerability and enabled the unauthorized processing, diversion or theft of classified material. This condition paralleled one of our concerns related to the diversion of classified information at Los Alamos; and,
• Contingency plans outlining actions necessary to resume operations in the event of a disaster were not always developed or were incomplete.

The Department had strengthened policies designed to protect national security information systems in response to our recommendations following the Los Alamos incident. However, NNSA had not been fully successful in ensuring that its laboratories implemented these updated and stronger requirements. For example, two laboratories completed their C&A process using outdated requirements, leaving a number of systems vulnerable to control weaknesses such as the lack of segregation of duties and strong authentication techniques. In addition, Headquarters and field site officials had not effectively reviewed security plans to ensure that they were accurate and that they adequately addressed system risks.

Review of Unclassified Systems

The OIG has also devoted substantial resources to evaluating security measures designed to protect the Department's unclassified information systems and data. The Federal Information Security Management Act requires that agency Inspectors General conduct an annual independent evaluation of their Department's unclassified cyber security program and practices. Our recently issued Fiscal Year (FY) 2008 evaluation revealed a mixed picture: on one hand, the Department had made incremental improvements in its unclassified cyber security program. For example, various sites had taken action to address weaknesses we identified during our FY 2007 evaluation by strengthening configuration management, updating policy, and incorporating cyber security performance requirements into management and operating contracts. However, a number of weaknesses that exposed systems to an increased risk of compromise still existed within the Department. This specifically included NNSA and its national defense laboratories. In particular:

• Two of the three defense laboratories had not yet completed certification and accreditation of certain business systems, a deficiency we first reported in FY 2006;
• System security plans at one laboratory did not include mandatory security controls. Such information is necessary for management to determine that all system risks have been fully considered and that mitigating controls are in place;
• At one laboratory, unneeded computer services had not been disabled on over 40 servers that hosted publicly accessible websites. These services, which in a number of instances could be accessed without the use of passwords or other authentication techniques, increased the risk of malicious damage to the servers and the networks on which they operated;
• All three laboratories had not yet completed the deployment of the Federally-mandated standard desktop configuration, an action that when implemented is intended to significantly enhance cyber-related controls;
• Computer incident reports did not always include information needed for reporting to law enforcement and for subsequent analysis for trending. Further, reported information was not always shared with other Department elements; and,
• At one laboratory, vulnerabilities were identified that may have allowed unsupervised foreign visitors to inappropriately access the site's intranet. Such practices, if exploited, could have permitted those individuals to probe the laboratory's network for vulnerabilities, implant malicious code, or remove data without authorization.

Issues Requiring Continuing Attention

While NNSA has taken steps to address a number of weaknesses identified in the past, additional action is necessary to protect systems and the information they contain from increasingly sophisticated and persistent attacks. Since the end of FY 2007, the Department has experienced a 45 percent increase in reported cyber security incidents. This significant increase demonstrates the need for sustained action in securing the Department's information systems.

Our work suggests that there are some recurring challenges that NNSA should consider as it moves forward. Specifically, NNSA should:

1. Implement, in a timely manner, all relevant Federal and Departmental cyber security requirements;
2. Strengthen the management review process by better monitoring field sites to ensure the adequacy of cyber security program performance; and,
3. Ensure that all outstanding cyber security weaknesses are corrected in a timely manner.

To achieve the recommended reforms as promptly as possible, NNSA should establish firm schedules with specific implementation timeframes and benchmarks.

Ongoing Inspector General Efforts

Both cyber and physical security continue to be pressing management challenges. For that reason, the Office of Inspector General has ongoing activities to examine information technology and systems security, implementation of physical security technology upgrades, protection of sensitive unclassified information, and accounting for nuclear materials in the hands of domestic licensees.

Mr. Chairman, this concludes my statement and I would be pleased to answer any questions you may have.